
US FBI Warned Organisations of the Egregor Ransomware Attacks


The US-based FBI (Federal Bureau of Investigation) has warned of an upcoming ransomware attack against hospitals and private organizations. It initially issued an alert stating that there was a credible ransomware threat that may harm hospitals and other private organizations. All of this was done in the wake of the increasing cyber-crime rate in the USA. As the situation worsened, the FBI warned organizations to stay alert with eyes wide open and patches ready. It is noteworthy that since the FBI's warning, one organization after another has been falling victim to these attacks.

Initially, the organizations noticed some issues with their IT systems, and then they started receiving phishing emails from various sources. The suddenness of the events made the organizations trust the warning released by the FBI as Egregor's chaos unfolded.

The Egregor ransomware attack targets organizations worldwide. The threat actors behind the operation hack into the organizations' networks and steal sensitive data. Once the data is exfiltrated, they encrypt all the files and leave a ransom note stating that if the organization fails to pay the ransom within the given time, the stolen data will not only be leaked but also distributed to the public by means of mass media.

The Egregor ransomware was first seen in the threat landscape in September 2020; since then the Egregor gang has claimed to have compromised over 150 organizations. They have also claimed to have leaked the data of two of the world's biggest gaming giants, UBISOFT and CRYTEK. The data obtained from these two companies was posted on the ransomware gang's dark web site. The incident unfolded after the two companies didn't pay the demanded ransom. Despite warnings by security experts, it is difficult to actively avoid falling prey to ransomware attacks, owing to the nature and modus operandi of such threats. Besides UBISOFT and CRYTEK, other companies, namely BARNES & NOBLE, CENCOSUD, and Metro Vancouver's transit agency TRANSLINK, were also on the list.

“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.” read the FBI's alert. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.”

Such ransomware attacks are performed with the help of phishing emails that may contain malicious attachments, or through exploits for the remote desktop protocol (RDP) or VPNs. It must be noted that following the release of the FBI's warning to organizations, the threat actors have seemingly picked up their pace in response to the FBI's action against them, which makes the overall picture clearer.

The Exploitation of Rowhammer Attack Just Got Easier

With an increase in the number of hacks and exploits focused solely on fundamental properties of the underlying hardware, Rowhammer, known since 2012, is one such attack. It is a serious issue with recent generations of dynamic random access memory (DRAM) chips, in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row, enabling anybody to alter the contents of the PC's memory.

All previously known Rowhammer attack methods required privilege escalation, which implies that the attacker needed to have already found and exploited a weakness within the system. Unfortunately, that is no longer true, as researchers have discovered that a Rowhammer attack can be triggered using network packets.

Termed 'Throwhammer', the newfound technique could enable attackers to launch a Rowhammer attack on targeted systems just by sending specially crafted packets to the vulnerable network cards over the Local Area Network.

A week ago, security researchers detailed a proof-of-concept Rowhammer attack technique, named GLitch, that uses embedded graphics processing units (GPUs) to carry out Rowhammer attacks against Android devices.

However, all previously known Rowhammer attack methods required privilege escalation on a target device, which means that the attackers needed to execute code on the targeted machine, either by luring victims to a malicious website or by tricking them into installing a malicious application.

Unfortunately, this limitation has now been eliminated, at least for some devices. Researchers at the Vrije Universiteit Amsterdam and the University of Cyprus have now discovered that sending malicious packets over the LAN can trigger a Rowhammer attack on systems running Ethernet network cards equipped with Remote Direct Memory Access (RDMA), which is commonly used in clouds and data centres.

Since RDMA-enabled network cards allow computers in a network to exchange data (with read and write privileges) directly in main memory, abusing this to access the host's memory in rapid succession can trigger bit flips on DRAM.

"We rely on the commonly-deployed RDMA technology in clouds and data centres for reading from remote DMA buffers quickly to cause Rowhammer corruptions outside these untrusted buffers, these corruptions allow us to compromise a remote Memcached server without relying on any software bug." researchers said in a paper [PDF] published Thursday.

Since triggering a bit flip requires a huge number of memory accesses to particular DRAM locations within milliseconds, a successful Throwhammer attack would require a very high-speed network of no less than 10Gbps.

In their experimental setup, the researchers achieved bit flips on the targeted server after accessing its memory 560,000 times in 64 milliseconds by sending packets over the LAN to its RDMA-enabled network card.

Since Rowhammer exploits a computer hardware weakness, no software fix can completely settle the issue once and for all. Researchers believe that the Rowhammer risk isn't just real but also has the potential to cause serious damage.

For additional in-depth knowledge on this new attack technique, users can access the paper published by the researchers on Thursday [PDF], titled "Throwhammer: Rowhammer Attacks over the Network and Defenses".

Hackers Target Winter Olympics to be Held in South Korea

Cybersecurity company McAfee has discovered that hackers have targeted organizations connected to the Winter Olympics that will be held in South Korea, and have tried to access sensitive information.

The hacking campaign ran from December 22 and is still under investigation by the firm. McAfee has stated that the attacks point to “a nation-state adversary that speaks Korean.”

The attacks seem to have been carried out via emails sent to various organizations containing a malicious document that would create a hidden channel inside the computer if enabled. These emails were disguised as being sent by South Korea's National Counter-Terrorism Council.

The emails were sent from a Singapore IP address and told receivers to open a text document in Korean.

Among those sent the messages are individuals associated with the ice hockey tournament at the Olympics. The McAfee Labs report can be seen on their website here.

According to a senior analyst at McAfee, it has been reported that at least one of the recipients was infected by the document.